If you’re programming in PHP your familiar with Composer and more specifically with the composer install, composer require and composer update commands. But did you know there are more commands? Let’s take a look at these unknown commands and what they offer.

Composer outdated

The composer outdated command returns a list of installed packages and the latest version available. Using the flags --direct --no-dev --patch-only --locked the full list can be reduced to a set of direct non-dev dependencies which have a patch version update available. These should be easy updates to apply to you codebase.

$ composer outdated
Color legend:
- patch or minor release available - update recommended
- major release available - update possible
  doctrine/dbal 3.6.4 3.6.6 Powerful PHP database abstraction layer (DBAL) with many features for database schema introspection and management.
  laravel/framework v9.52.10 v10.20.0 The Laravel Framework.

Composer audit

Using composer audit command runs a check of the installed versions of your dependencies against the Packagist Security Advisories similar to a npm audit This command is actually one you should run in the project pipeline, where it would block any work to be merged making fixing the vulnerability the top priority.

$ composer audit
Found 1 security vulnerability advisory affecting 1 package:
| Package           | symfony/http-kernel                                         |
| CVE               | CVE-2022-24894                                              |
| Title             | CVE-2022-24894: Prevent storing cookie headers in HttpCache |
| URL               | https://symfony.com/cve-2022-24894                          |
| Affected versions | >=2.0.0,<2.1.0|>=2.1.0, ... ,<6.1.12|>=6.2.0,<6.2.6         |
| Reported at       | 2023-02-01T08:00:00+00:00                                   |

This command also has a --locked flag to run the check based on the composer.lock contents instead of the installed versions on disk. And similar to the composer outdated command there is also a --no-dev flag, but depending on your level of strictness you may want to skip this flag as all vulnerabilities should be fixed.

Composer bump

The composer bump command might the most unknown command. This command updates the requirements in the composer.json file bumping the requirement constraint to the current version installed. This would prevent accidental downgrades of a package. Secondly there is a bonus side effect, making the dependency tree resolution faster as the number of packages that are possible for installation is being reduced.

$ composer bump
./composer.json has been updated (17 changes).

Composer depends

Ever wondered why a specific package is installed? This is where the composer depends command can help. Using the composer outdated or composer audit commands you might run into a child dependency deeper in the dependency tree, and you want to see how this is a dependency for your project.

$ composer depends json-mapper/json-mapper --tree
json-mapper/json-mapper 2.14.4 Map JSON structures to PHP classes
└──json-mapper/laravel-package 2.3.0 (requires json-mapper/json-mapper ^2.3)
   └──infi/infilytics dev-develop (requires json-mapper/laravel-package ^2.3)

The above output shows that json-mapper/json-mapper is a child dependency of infi/infilytics because json-mapper/laravel-package requires it.

Composer prohibits

With the command composer prohibits you can achieve (kind of) the opposite of the composer depends command. Using this command you can get a detailed output on why a certain package cannot be installed, resulting in a more effective search for a solution.

$ composer prohibits "json-mapper/json-mapper" "^1.0"
json-mapper/laravel-package 2.4.0       requires         json-mapper/json-mapper (^2.3)
json-mapper/json-mapper     1.4.2       requires         psr/log (^1.1)                            
infi/infilytics             dev-develop does not require psr/log (but 3.0.0 is installed)          
json-mapper/json-mapper     1.4.2       requires         psr/simple-cache (^1.0)                   
infi/infilytics             dev-develop does not require psr/simple-cache (but 3.0.0 is installed)

In the above example the package json-mapper/json-mapper with version constraint ^1.0 cannot be installed as the installed json-mapper/laravel-package with version 2.4.0. require json-mapper/json-mapper with the version constraint ^2.3`

Composer licenses

It might be the case that licenses of your dependencies should be using a limited set of one specific license type should never be part of you application. For this scenario you can use the composer licenses command which will return a list of all your dependencies and the license listed in their respective composer.json.

$ composer licenses
json-mapper/json-mapper                2.19.0              MIT
json-mapper/laravel-package            2.4.0               MIT
laravel/framework                      v9.52.10            MIT
phpoption/phpoption                    1.9.1               Apache-2.0
phpunit/phpunit                        9.6.9               BSD-3-Clause

Composer clear-cache

This final command is one that you might only need in very rare cases, but it is still a command that can help you in case you run into weird behaviour during composer install or composer require commands. Running the composer clear-cache command will remove all you local caches that Composer uses in the background.

$ composer clear-cache
Clearing cache (cache-vcs-dir): /Users/danny/Library/Caches/composer/vcs
Clearing cache (cache-repo-dir): /Users/danny/Library/Caches/composer/repo
Clearing cache (cache-files-dir): /Users/danny/Library/Caches/composer/files
Clearing cache (cache-dir): /Users/danny/Library/Caches/composer
All caches cleared.

This command can also be very helpful if you want to clean up packages you should no longer have in your possession, due to a project termination or an expired license.

Closing remarks

As you can see there are move Composer commands then you might have guessed and there are even more. If you want to see all available commands you can run composer list to get a complete overview. Using this blog I hope the above commands are now “less unknown” as they are very useful in some situations.

See if you can add steps to your pipeline for composer audit and composer outdated. Combined with a scheduled run of the pipeline(s) in the early morning can make you aware of a vulnerability or upgrade even before you have your first sip of coffee.

Found a typo? Please help improve this article.

Previous Post
Figuring out how parallel processing works in PHP
Blog Archive
Archive of all previous blog posts